PERSONAL DATA RETENTION AND DISPOSAL POLICY
1. The purpose of this policy is to determine the procedures and principles regarding the deletion, destruction or anonymization of personal data processed fully or partially by automatic means, or by non-automatic means provided that it is part of a data recording system.

2. This policy has been prepared in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data, which was issued on the basis of the third paragraph of Article 7 and subparagraph (e) of the first paragraph of Article 22 of Law No. 6698.

3. The Company has prepared this personal data retention and destruction policy in accordance with its personal data processing inventory.

4. Definitions
1. Recipient group: The category of natural or legal persons to whom personal data is transferred by the data controller.
2. Relevant user: Persons who process personal data within the organization of the data controller, or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
3. Destruction: The deletion, destruction or anonymization of personal data.
4. Recording medium: Any medium in which personal data is processed fully or partially by automatic means, or by non-automatic means provided that it is part of a data recording system.
5. Personal data processing inventory: The inventory that data controllers create based on their business processes by associating the personal data processing activities they carry out with the processing purposes, the data category, the recipient group to which the data is transferred and the data subject group, and in which they detail the maximum period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security.
6. Personal data retention and destruction policy: The policy on which data controllers base the process of determining the maximum period required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization.
7. Periodic destruction: The deletion, destruction or anonymization process that is carried out ex officio at recurring intervals specified in the personal data retention and destruction policy, in the event that all the conditions for processing personal data set out in the law cease to exist.
8. Registry: The registry of data controllers kept by the Presidency of the Personal Data Protection Authority.
9. Data recording system: The recording system in which personal data is processed and structured according to certain criteria.
10. Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
11. Deletion of personal data: The process of rendering personal data inaccessible and unusable for the relevant users in any way.
12. Destruction of personal data: The process of rendering personal data inaccessible, unrecoverable and unusable by anyone in any way.
13. Anonymization of personal data: Rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even when matched with other data. For personal data to be anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as the recovery of the data or its matching with other data by the data controller, the recipient or recipient groups.

5. Recording media regulated by the personal data retention and destruction policy:
1. Paper media
1. Paper
2. Manual data recording systems (forms, visitor entry book)
3. Written, printed and visual media
2. Electronic media
1. Servers (domain, backup, e-mail, database, web, file sharing, etc.)
2. Software
3. Information security devices (firewall, intrusion detection and prevention, log files, antivirus, etc.)
4. Personal computers (desktop, laptop)
5. Mobile devices (phone, tablet, etc.)
6. Optical discs (CD, DVD, etc.)
7. Removable storage (USB drives, memory cards, etc.)
8. Printers, scanners, copiers

6. Legal Grounds Requiring Storage
1. Personal Data Protection Law No. 6698,
2. Turkish Code of Obligations No. 6098,
3. Public Procurement Law No. 4734,
4. Law No. 657 on Civil Servants,
5. Law No. 5510 on Social Security and General Health Insurance,
6. Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications,
8. Public Financial Management Law No. 5018,
9. Occupational Health and Safety Law No. 6331,
10. Law No. 4982 on Access to Information,
11. Law No. 3071 on the Use of the Right to Petition,
12. Labor Law No. 4857,
13. Higher Education Law No. 2547,
14. Retirement Health Law No. 5434,
15. Social Services Law No. 2828,
16. Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Extensions,
17. Regulation on Archive Services,
18. Personal data is kept for as long as the retention periods stipulated by other secondary regulations in force under these laws.

7. Processing Purposes Requiring Retention
1. Execution of Emergency Management Processes
2. Execution of Information Security Processes
3. Execution of Employee Candidate / Intern / Student Selection and Placement Process
4. Execution of Application Processes of Employee Candidates
5. Execution of Employee Satisfaction and Loyalty Processes
6. Fulfillment of Obligations Arising from the Employment Contract and Legislation for Employees
7. Execution of Fringe Benefits and Interests Processes for Employees
8. Execution of Audit / Ethics Activities
9. Execution of Training Activities
10. Execution of Access Authorities
11. Execution of Activities in Compliance with the Legislation
12. Execution of Finance and Accounting Affairs
13. Ensuring Physical Space Security
14. Assignment Processes Execution
15. Follow-up and Execution of Legal Affairs
16. Carrying out Internal Audit / Investigation / Intelligence Activities
17. Execution of Communication Activities
18. Planning of Human Resources Processes
19. Execution / Supervision of Business Activities
20. Execution of Occupational Health / Safety Activities
21. Receiving and Evaluating Suggestions for Improving Business Processes
22. Execution of Business Continuity Activities
23. Execution of Logistics Activities
24. Execution of Goods / Services Procurement Processes
25. Execution of Goods / Services Sales Processes
26. Execution of Goods / Services Production and Operation Processes
27. Organization and Event Management
28. Execution of Performance Evaluation Processes
29. Execution of Risk Management Processes
30. Execution of Storage and Archive Activities
31. Execution of Social Responsibility and Civil Society Activities
32. Execution of Contract Processes
33. Execution of Sponsorship Activities
34. Execution of Strategic Planning Activities
35. Follow-up of Requests / Complaints
36. Ensuring the Security of Movable Property and Resources
37. Executing Supply Chain Management Processes
38. Executing the Remuneration Policy
39. Ensuring the Security of Data Controller Operations
40. Foreign Personnel Work and Residence Permit Processes
41. Executing Investment Processes
42. Executing Talent / Career Development Activities
43. Providing Information to Authorized Persons, Institutions and Organizations
44. Execution of Management Activities
45. Creation and Tracking of Visitor Records

8. Reasons Requiring Destruction
1. In the event that all the conditions for processing personal data cease to exist, the personal data must be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject.
2. As set out in Article 138 of the Turkish Penal Code and Article 7 of the KVK Law, personal data that has been processed in accordance with the provisions of the relevant laws is nevertheless deleted, destroyed or anonymized by the Company ex officio or upon the request of the data subject once the reasons requiring its processing cease to exist.
3. When the data subject applies to the Company requesting the deletion or destruction of their personal data, the request is taken up immediately in order to fulfil it.
4. If all the conditions for processing the personal data have ceased to exist, the Company deletes, destroys or anonymizes the personal data subject to the request. The Company finalizes the data subject's request within thirty days at the latest and informs the data subject.
5. If all the conditions for processing the personal data have ceased to exist and the personal data subject to the request has been transferred to third parties, the Company notifies the third party and ensures that the necessary actions are taken by the third party within the scope of this policy.
6. If not all the conditions for processing the personal data have ceased to exist, the Company may reject the request by stating the reason, and the refusal is notified to the data subject in writing or electronically within thirty days at the latest.

9. Technical and administrative measures taken for the safe storage of personal data and the prevention of unlawful processing and access
1. Network security and application security are ensured.
2. A closed system network is used for personal data transfers via the network.
3. Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
4. There are disciplinary regulations that include data security provisions for employees.
5. Training and awareness activities are carried out periodically for employees on data security.
6. An authorization matrix has been created for the employees.
7. Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
8. Confidentiality commitments are made.
9. The authorizations of employees who change duties in this field or leave the company are revoked.
10. Current anti-virus systems are used.
11. Firewalls are used.
12. The signed contracts contain data security provisions.
13. Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential form.
14. Personal data security policies and procedures have been determined.
15. Personal data security incidents are reported promptly.
16. Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
17. The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
18. The security of environments containing personal data is ensured.
19. Personal data is minimized as much as possible.
20. Personal data is backed up and the security of the backed up personal data is also ensured.
21. User account management and authorization control system is implemented and these are also followed.
22. In-house periodic and/or random audits are conducted and commissioned.
23. Existing risks and threats have been identified.
24. Protocols and procedures for the security of sensitive (special category) personal data have been determined and implemented.
25. If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using a KEP or corporate mail account.
26. Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
27. Cyber security measures have been taken and their implementation is monitored continuously.
28. Personal data transferred in portable memory, CD and DVD media are encrypted and transferred.
29. Data processing service providers are periodically audited on data security.
30. Awareness of data processing service providers on data security is ensured.

10. Technical and administrative measures taken for the lawful destruction of personal data
1. All transactions regarding the deletion, destruction and anonymization of personal data are carried out and recorded by authorized persons in accordance with the policies and procedures.
2. These records are kept for at least three years, without prejudice to other legal obligations.

11. Personal Data Deletion, Destruction and Anonymization Techniques
1. Physical Destruction: Personal data may also be processed by non-automatic means, provided that it is part of a data recording system. When such data is deleted/destroyed, the personal data is physically destroyed so that it cannot be used later. Example: disposing of the relevant file by shredding the document.
2. Secure Deletion from Software: When deleting/destroying data processed fully or partially by automatic means and stored in digital media, methods are used to delete the data from the relevant software in a way that makes it highly unlikely to be recoverable.
3. Secure Deletion by an Expert: In some cases, the Company may engage an expert to delete personal data on its behalf. In this case, the personal data is securely deleted/destroyed by a person who is an expert in this field, in a way that cannot be recovered.
4. Techniques for Anonymizing Personal Data
1. Anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable natural person, even by matching it with other data. The Company may anonymize personal data processed in accordance with the law when the reasons requiring its processing cease to exist.
2. In accordance with Article 28 of the KVK Law, anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the KVK Law. Since personal data processed after anonymization falls outside the scope of the KVK Law, the rights regulated in section 10 of the policy do not apply to this data.
3. Masking: Data masking is the method of anonymizing personal data by removing the basic identifying information from the data set. Example: removing the name, surname, TR Identity Number and similar information that enables identification of the data subject, so that the data set can no longer be used to identify the data subject.
4. Aggregation: With the data aggregation method, many records are aggregated so that the personal data can no longer be associated with any individual. Example: revealing that there are 100 customers born in 1975 without showing the birth year of any individual customer.
5. Data Derivation: With the data derivation method, content more general than the content of the personal data is created so that the personal data can no longer be associated with any individual. Example: specifying ages instead of birth dates; specifying the county or city of residence instead of the full address.
6. Data Shuffling (Permutation): With the data shuffling method, the values in the personal data set are mixed so that the link between the values and the individuals is broken. Example: altering the quality of voice recordings so that the voices cannot be associated with or recognized as the data subject.
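The four anonymization techniques listed in item 4 (masking, aggregation, data derivation and shuffling) are shown below as an added worked example over a constructed, fictional data set; this is illustrative code written for this page, not the Company's own tooling, and the field names (name, surname, tr_id, birth_date, address, city, salary) and the reference date are assumptions made for the example. Masking drops the direct identifiers, data derivation coarsens a birth date into an age band and an address into a city, aggregation publishes only group counts, and shuffling permutes one column so that a value no longer sits on the row of the person it came from while the column's statistics are preserved.

```python
import random
from collections import Counter
from datetime import date

# Constructed sample data set: fictional persons and values, not taken from any real system.
SAMPLE_RECORDS = [
    {"name": "Ayse", "surname": "Yilmaz", "tr_id": "10000000001",
     "birth_date": date(1975, 3, 2), "address": "Example St. No:12, Sekerpinar",
     "city": "Kocaeli", "salary": 30000},
    {"name": "Mehmet", "surname": "Kaya", "tr_id": "10000000002",
     "birth_date": date(1975, 11, 20), "address": "Sample Ave. No:7, Gebze",
     "city": "Kocaeli", "salary": 42000},
    {"name": "Elif", "surname": "Demir", "tr_id": "10000000003",
     "birth_date": date(1980, 6, 15), "address": "Test Blvd. No:3, Kadikoy",
     "city": "Istanbul", "salary": 51000},
    {"name": "Can", "surname": "Celik", "tr_id": "10000000004",
     "birth_date": date(1990, 1, 1), "address": "Demo Rd. No:9, Nilufer",
     "city": "Bursa", "salary": 27000},
]

# Reference "today" used for age derivation (fixed so the example is reproducible).
REFERENCE_DATE = date(2024, 1, 1)

# Fields that directly identify a person (hypothetical field names chosen for this example).
DIRECT_IDENTIFIERS = ("name", "surname", "tr_id")


def mask(records, fields=DIRECT_IDENTIFIERS):
    """Masking: drop the direct-identifier fields from every record."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def aggregate(records, key):
    """Aggregation: publish only counts per group, never individual rows.
    `key` is a function mapping a record to its group value."""
    return dict(Counter(key(r) for r in records))


def age_band(birth_date, today, width=10):
    """Derive a coarse age band such as '40-49' from an exact birth date."""
    age = today.year - birth_date.year
    if (today.month, today.day) < (birth_date.month, birth_date.day):
        age -= 1  # birthday not yet reached in the reference year
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def generalize(records, today):
    """Data derivation: replace the birth date with an age band and drop the
    full address, keeping only the coarser city field."""
    out = []
    for r in records:
        g = dict(r)
        g["age_band"] = age_band(g.pop("birth_date"), today)
        g.pop("address", None)
        out.append(g)
    return out


def shuffle_column(records, field, seed=0):
    """Shuffling: permute one column across records so that each value is
    detached from the row (person) it originally belonged to. The multiset
    of values, and therefore column statistics, is preserved."""
    values = [r[field] for r in records]
    random.Random(seed).shuffle(values)
    return [dict(r, **{field: v}) for r, v in zip(records, values)]


def anonymize(records, today, seed=0):
    """Apply the row-level techniques in sequence: mask, generalize, shuffle salary."""
    return shuffle_column(generalize(mask(records), today), "salary", seed)


if __name__ == "__main__":
    for row in anonymize(SAMPLE_RECORDS, REFERENCE_DATE):
        print(row)
    # Aggregation answers "how many were born in 1975?" without exposing any single row.
    print(aggregate(SAMPLE_RECORDS, lambda r: r["birth_date"].year))
```

Note that masking alone is rarely sufficient: a record that still carries an exact birth date, a full address and a salary can often be re-linked to a person from other data sets, which is why the example combines masking with generalization and shuffling before treating the output as anonymized in the sense of item 1 above.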

12. The titles, units and job descriptions of those involved in the personal data retention and destruction processes:
1. Information Processing Unit Manager: manages all IT processes of the Company.
2. Legal Unit Manager: manages all legal processes of the Company.
3. Human Resources Manager (in matters related to personnel): manages all personnel processes of the Company.
4. Sales and Marketing Manager (in matters related to customer information): manages all sales and marketing processes of the Company.

13. Table showing retention and destruction periods

NO  DATA CATEGORY                               DATA STORAGE PERIOD
1   Identity                                    15 YEARS
2   Communication                               15 YEARS
3   Location                                    2 YEARS
4   Personnel                                   15 YEARS
5   Legal Action                                10 YEARS
6   Customer Action                             10 YEARS
7   Physical Space Security                     2 YEARS
8   Transaction Security                        2 YEARS
9   Risk Management                             2 YEARS
10  Finance                                     10 YEARS
11  Professional Experience                     10 YEARS
12  Marketing                                   2 YEARS
13  Audio-Visual Records                        10 YEARS
14  Religion                                    10 YEARS
15  Attire                                      10 YEARS
16  Union Information                           10 YEARS
15  Health Information                          10 YEARS
16  Criminal Conviction and Security Measures   10 YEARS
17  Association Membership                      10 YEARS
18  Foundation Membership                       10 YEARS

* The above periods start from the date of termination of the employment contract for employees; from the date of termination of the contract for suppliers and customers, or from the date of the last transaction if there is no contract; and from the date the data was provided to the Company for other data subjects.

Periodic destruction periods:
1. The Company destroys personal data whose storage period has expired within 180 days at the latest from the date of expiry of the storage period.
2. The Company deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize the personal data arises.
3. The time interval for periodic destruction is determined by the data controller in accordance with the personal data retention and destruction policy, the procedures and the Company's workflow. This interval cannot exceed six months in any case.
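The retention table and the three periodic destruction rules above define a schedule that can be computed: the storage period runs from the trigger date, the record is due for destruction at the first periodic run on or after expiry, and that run must also fall within 180 days of expiry. The following added example implements that computation; it is illustrative code written for this page, not the Company's own system, and the cycle anchor dates and category/trigger dates used in it are constructed inputs. It takes the retention years from the table above and keeps the 180-day and six-month limits as constants. One thing it makes visible is that a six-month cycle is not automatically within the 180-day limit: six calendar months can span up to 184 days, so an expiry that falls just after a run can miss the deadline at the next one.

```python
import calendar
from datetime import date, timedelta

# Retention periods in years, as listed in the policy's table (section 13).
RETENTION_YEARS = {
    "Identity": 15, "Communication": 15, "Location": 2, "Personnel": 15,
    "Legal Action": 10, "Customer Action": 10, "Physical Space Security": 2,
    "Transaction Security": 2, "Risk Management": 2, "Finance": 10,
    "Professional Experience": 10, "Marketing": 2, "Audio-Visual Records": 10,
    "Religion": 10, "Attire": 10, "Union Information": 10, "Health Information": 10,
    "Criminal Conviction and Security Measures": 10, "Association Membership": 10,
    "Foundation Membership": 10,
}

MAX_DESTRUCTION_DELAY_DAYS = 180  # section 13, rule 1: destroyed within 180 days of expiry
MAX_PERIOD_MONTHS = 6             # section 13, rule 3: periodic interval cannot exceed six months


def _as_date(d):
    """Accept either a date or an ISO-8601 string such as '2024-03-15'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_years(d, years):
    """Same calendar day `years` later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def add_months(d, months):
    """Same calendar day `months` later, clamped to the target month's length."""
    m0 = d.month - 1 + months
    y, m = d.year + m0 // 12, m0 % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def retention_expiry(category, period_start):
    """End of the storage period for a data category, counted from the trigger
    date named in the footnote (e.g. termination of the contract)."""
    return add_years(_as_date(period_start), RETENTION_YEARS[category])


def next_periodic_destruction(obligation_date, cycle_anchor, period_months=MAX_PERIOD_MONTHS):
    """First scheduled periodic destruction run on or after the date the obligation
    arises. `cycle_anchor` is the date of any run in the cycle (constructed input);
    runs repeat every `period_months` months."""
    if period_months > MAX_PERIOD_MONTHS:
        raise ValueError("periodic destruction interval cannot exceed six months")
    obligation_date = _as_date(obligation_date)
    run = _as_date(cycle_anchor)
    while run < obligation_date:
        run = add_months(run, period_months)
    return run


def schedule_destruction(category, period_start, cycle_anchor, period_months=MAX_PERIOD_MONTHS):
    """Compute expiry, the periodic run that will handle the record, the 180-day
    deadline, and whether that run honours the deadline."""
    expiry = retention_expiry(category, period_start)
    run = next_periodic_destruction(expiry, cycle_anchor, period_months)
    deadline = expiry + timedelta(days=MAX_DESTRUCTION_DELAY_DAYS)
    return {"expiry": expiry, "scheduled_run": run, "deadline": deadline,
            "within_limit": run <= deadline}


if __name__ == "__main__":
    # Constructed inputs: a Location record whose trigger date was 15 March 2022,
    # with periodic runs on 1 January and 1 July each year.
    print(schedule_destruction("Location", "2022-03-15", "2020-01-01"))
    # Expiry on 2 January 2024: the next run (1 July) is day 181, past the limit.
    print(schedule_destruction("Location", "2022-01-02", "2020-01-01"))
```

In practice the second case means either shortening the interval below six months or adding an out-of-cycle destruction for records whose expiry falls in the days right after a run; the `within_limit` flag is the check that surfaces such records before the deadline is missed.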

14. Publication and Storage of the Policy
The Policy is published in two different media, in wet-signed (printed paper) and electronic form, and is disclosed to the public on the website.

15. Update Period
The Policy is reviewed as needed and the necessary sections are updated.

16. Enforcement
The Policy is deemed to have entered into force upon its publication on the Company's website.

Data Controller Title: TOYOTETSU AUTOMOTIVE PARTS IND. and TRA. Inc.
Mersis No: 0859019537000018
E-mail Address: toyotetsu@toyotetsu.com.tr
Registered Electronic Mail Address: toyotetsu@hs01.kep.tr
Physical Mail Address: TOSB Automotive Sub-Industry Specialized Organized Industrial Zone 5th Street No:4 41420
Sekerpinar, Cayirova - KOCAELI / TURKEY